
chore: Switch to wolfi to fix critical vulnerability (#421)
* chore: Switch to wolfi to fix critical vulnerability

* nl

* fix nl

* fix

* fix

* Fix manual

* needs'

* make more clear

* toolchains

* Fix
jakubhava authored Sep 10, 2024
1 parent 7292fda commit 276b986
Showing 8 changed files with 52 additions and 49 deletions.
10 changes: 10 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -21,3 +21,13 @@ updates:
labels:
- "type/update"
- "area/chore"

- package-ecosystem: "docker"
directory: "local-rest-scorer/"
schedule:
interval: "daily"
open-pull-requests-limit: 10
commit-message:
prefix: "chore"
labels:
- "type/update"
2 changes: 1 addition & 1 deletion .github/workflows/component-scan.yml
Expand Up @@ -220,7 +220,7 @@ jobs:
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*DAI Runtimes* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_"
"text": "*Java MOJO Runtime* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_"
}
},
{
10 changes: 5 additions & 5 deletions .github/workflows/image-build.yml
Expand Up @@ -30,13 +30,13 @@ jobs:
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4

- name: Build templates
run: |
./gradlew --init-script init.gradle distributionZip
- name: Build images with Gradle Wrapper
run: |
./gradlew -Pversion=${{inputs.component_version}} --init-script init.gradle jibBuildTar -Djib.to.image=image:latest -Djib.outputPaths.tar=/tmp/image.tar
./gradlew :local-rest-scorer:build -Pversion=${{ inputs.component_version }} -x check --init-script init.gradle
docker build -t image:latest -f local-rest-scorer/Dockerfile local-rest-scorer
- name: Save docker image
run: docker save image:latest > /tmp/image.tar

- name: Save image artifact
uses: actions/upload-artifact@v4
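Review bot: The rewritten `Build images with Gradle Wrapper` step still interpolates `${{ inputs.component_version }}` directly into the shell line; since the line is being replaced anyway, declare `COMPONENT_VERSION: ${{ inputs.component_version }}` under the step's `env:` and use `-Pversion="$COMPONENT_VERSION"` so a value containing shell metacharacters is passed as data rather than parsed as part of the command. The same line adds `-x check`, so the jar that ends up in the scanned image has not run the project's tests or static checks in this workflow; if another job covers that, a one-line comment such as `# tests/checks run in the CI job; this job only produces the scan image` would make it explicit.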
8 changes: 8 additions & 0 deletions gradle/java.gradle
Expand Up @@ -4,3 +4,11 @@ apply from: project(":").file('gradle/java_no_style.gradle')

apply from: project(":").file('gradle/mixins/checkstyle.gradle')
apply from: project(":").file('gradle/mixins/errorprone.gradle')
apply plugin: 'java'

java {
toolchain {
languageVersion = JavaLanguageVersion.of(17)
vendor = JvmVendorSpec.ADOPTIUM
}
}
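Review bot: The new `toolchain` block requests Java 17 from Adoptium but does not say where that JDK comes from; together with the `org.gradle.toolchains.foojay-resolver-convention` plugin added to settings.gradle in this commit, a machine with no matching local JDK downloads one during the build, which is a network and supply-chain input that a reader of gradle/java.gradle alone cannot see. A comment above `toolchain {` along the lines of `// Java 17 (Adoptium) is required; with the foojay resolver in settings.gradle, Gradle downloads a matching JDK when none is installed locally.` would make that visible. The Dockerfile's builder stage installs `openjdk-17` from apk, so the image build itself does not depend on that download; whether CI runners do is not visible from this diff.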
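--- /dev/null
+++ b/local-rest-scorer/Dockerfile
@@ -0,0 +1,23 @@
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0f1d81605bda6e2388c3c7f731700d8c12e17259d58ffba11f36ddc81d9c0a76 AS builder
+RUN apk add openjdk-17 bash coreutils
+ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk
+ENV PATH="$JAVA_HOME/bin:$PATH"
+WORKDIR /app
+COPY build/libs/local-rest-scorer-boot.jar application.jar
+RUN java -Djarmode=layertools -jar application.jar extract
+
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0f1d81605bda6e2388c3c7f731700d8c12e17259d58ffba11f36ddc81d9c0a76
+RUN apk add openjdk-17-jre bash coreutils
+ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk
+ENV PATH="$JAVA_HOME/bin:$PATH"
+USER nonroot
+WORKDIR /app
+COPY --from=builder --chown=nonroot:nonroot /app/dependencies/ ./
+COPY --from=builder --chown=nonroot:nonroot /app/spring-boot-loader/ ./
+COPY --from=builder --chown=nonroot:nonroot /app/snapshot-dependencies/ ./
+COPY --from=builder --chown=nonroot:nonroot /app/application/ ./
+VOLUME /mojos
+VOLUME /secrets
+EXPOSE 8080
+ENV DRIVERLESS_AI_LICENSE_FILE="/secrets/license.sig"
+CMD ["java", "-Dmojo.path=/mojos/pipeline.mojo", "--add-opens=java.base/java.lang=ALL-UNNAMED", "--add-opens=java.base/java.util=ALL-UNNAMED", "--add-opens=java.base/java.lang.reflect=ALL-UNNAMED", "org.springframework.boot.loader.launch.JarLauncher"]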
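Review bot: The runtime stage's `RUN apk add openjdk-17-jre bash coreutils` installs a shell and coreutils that the exec-form `CMD` never uses, which gives back part of the attack surface the move to wolfi-base is meant to remove; if they are needed for probes or debugging, a comment saying so would keep the next cleanup from dropping them, otherwise leave them out of the final stage. The apk packages carry no version while the base image is digest-pinned, so two builds of the same commit can still ship different JRE builds, and the Dependabot docker entry added for this directory will bump only the base digest, not these packages; a comment such as `# apk packages are unpinned: rebuilds pick up the current wolfi JRE` records that trade-off. Separately, the README's new `docker build -t rest-scorer .` appears under text saying to run it from the root project directory, but `COPY build/libs/local-rest-scorer-boot.jar` is relative to `local-rest-scorer/`, which is what the workflow does with `-f local-rest-scorer/Dockerfile local-rest-scorer`.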
7 changes: 1 addition & 6 deletions local-rest-scorer/README.md
Expand Up @@ -275,12 +275,7 @@ Generation of this Docker image is plugged into the build process of this projec
Run the following command in the root project directory to run the `build` process.

```bash
./gradlew :local-rest-scorer:jibDockerBuild
```

Verify that the Docker image was created, and take note of the version created.
```bash
docker images --format "{{.Repository}} \t {{.Tag}}" | grep "h2oai/rest-scorer"
docker build -t rest-scorer .
```

### Run Container
37 changes: 1 addition & 36 deletions local-rest-scorer/build.gradle
@@ -1,5 +1,4 @@
plugins {
id 'com.google.cloud.tools.jib'
id 'org.springframework.boot'
}
apply from: project(":").file('gradle/java.gradle')
Expand Down Expand Up @@ -44,6 +43,7 @@ bootRun {
bootJar {
mainClass = 'ai.h2o.mojos.deploy.local.rest.ScorerApplication'
archiveClassifier = 'boot'
archiveVersion = ''
}

jar {
Expand All @@ -57,38 +57,3 @@ rootProject.distributionZip {
from bootJar.archivePath
}
}

// Docker image configuration.
jib {
from {
image = javaBaseImage
}
to {
image = dockerRepositoryPrefix + 'rest-scorer'
tags = [version]
auth {
username = System.getenv('TO_DOCKER_USERNAME') ?: ''
password = System.getenv('TO_DOCKER_PASSWORD') ?: ''
}
}
container {
jvmFlags = defaultJibContainerJvmFlags.split(" ").each { it.trim() }.toList()
user = 1001
ports = ['8080']
volumes = [
// For storing the mojo2 file with the model to be used for scoring.
'/mojos',
// For the DAI license file.
'/secrets',
]
environment = [
// The expected path to the DAI license file.
DRIVERLESS_AI_LICENSE_FILE: '/secrets/license.sig',
]
}
}

// Make docker TAR build part of the build task to ensure the image can be built.
// No pushing anywhere (not even to local docker). To push to local docker run task `jibDockerBuild` instead.
// To push to harbor use task `jib`, credentials will be needed though.
tasks.build.dependsOn tasks.jibBuildTar
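Review bot: `archiveVersion = ''` in the `bootJar` block (second hunk) has no comment explaining why the version is stripped from the artifact name; the reason is that `local-rest-scorer/Dockerfile` copies `build/libs/local-rest-scorer-boot.jar` by fixed name, and a later reader could reinstate the version and silently break the image build. Suggest `archiveVersion = ''  // fixed name: local-rest-scorer/Dockerfile copies build/libs/local-rest-scorer-boot.jar`. The `jar {` block that begins at the end of that hunk continues outside it.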
4 changes: 3 additions & 1 deletion settings.gradle
Expand Up @@ -6,7 +6,9 @@ pluginManagement {
id 'org.openapi.generator' version "${openApiGeneratorGradlePluginVersion}"
}
}

plugins {
id 'org.gradle.toolchains.foojay-resolver-convention' version '0.8.0'
}
dependencyResolutionManagement {
repositories {
mavenCentral()
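Review bot: The added `org.gradle.toolchains.foojay-resolver-convention` line hardcodes `version '0.8.0'`, while the plugin visible just above it in `pluginManagement` takes its version from a property (`"${openApiGeneratorGradlePluginVersion}"`); moving this version into the same property file keeps dependency bumps in one place. The `pluginManagement` block starts outside the hunk, so whether every other plugin follows that pattern is not visible here. Since this plugin lets Gradle download a JDK when the toolchain declared in gradle/java.gradle is not installed locally, a one-line comment above the new `plugins {` block such as `// enables auto-download of the JDK declared in gradle/java.gradle when none is installed` would help anyone auditing the build's network access.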
